一. Open××× 安裝環境
Server 端的環境
redhat, kernel版本: 2.4.20-31.9, IP 為 70.8.7.6
kernel 需要支援 tun 裝置, 需要加載 iptables 子產品.
檢查 tun 是否安裝:
代碼:
[email protected] [/]# modinfo tun
filename: /lib/modules/2.4.20-31.9/kernel/drivers/net/tun.o
description:
author:
license: "GPL"
如果沒有 modinfo 指令, 直接找一下, 看看 kernel 裡是否有 tun.o 檔案:
代碼:
find -name tun.o
./lib/modules/2.4.20/kernel/drivers/net/tun.o
檢查iptables 子產品, 檢視是否有下列檔案:
/etc/init.d/iptables
OpenSSL。如果需要啟用 SSL 連接配接,則需要先安裝 OpenSSL。安裝 OpenSSL 的方法在這裡不做介紹,具體可以用 Google 搜尋。CentOS 下可以用 yum install:
yum install openssl
yum install openssl-devel
安裝的 Open××× 的版本: 2.0.5. 現在似乎已經有一個更新的版本了. 可在http://open***.net 上下載下傳.
Client 端的環境:
Windows XP PRO SP2
Open××× GUI For windows 1.0.3 , 可在 open***.se 下載下傳
注意: Open××× GUI for windows 的版本要和 Open××× Server 的版本配套.
例如, 伺服器裝的是 Open××× 2.0.5, 那麼下載下傳的 Open××× GUI fow windows 應該是: open***-2.0.5-gui-1.0.3-install.exe
Open××× GUI的所有曆史版本: http://open***.se/files/install_packages/
二. Open××× 服務端安裝過程
http://www.xiaohui.com/dev/server/20070514-install-open***.htm
用 SecureCRT 登入到 host, 進入根目錄 代碼:
cd /
下載下傳 LZO,解壓到lzo-2.02.
位址: http://www.oberhumer.com/opensource/lzo/download/ 代碼:
wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.02.tar.gz
下載下傳 Open×××, 解壓到open***-2.0.5
位址: http://open***.net/download.html 代碼:
wget http://open***.net/release/open***-2.0.5.tar.gz
安裝 LZO 代碼:
cd /lzo-2.02
./configure
make
make check
make install
安裝 Open×××
代碼:
cd /open***-2.0.5
./configure
# 或用指定dir: (注:下述指令, 應該在一行寫完. 為了友善顯示, 這裡分成了四行)
# ./configure --with-lzo-headers=/usr/local/include
# --with-lzo-lib=/usr/local/lib
# --with-ssl-headers=/usr/local/include/openssl
# --with-ssl-lib=/usr/local/lib
make
make install
生成證書Key
初始化 PKI
(如果沒有 export 指令也可以用 setenv [name] [value] 指令)
代碼:
cd /open***-2.0.5/easy-rsa
export D=`pwd`
export KEY_CONFIG=$D/openssl.cnf
export KEY_DIR=$D/keys
export KEY_SIZE=1024
export KEY_COUNTRY=CN
export KEY_PROVINCE=GD
export KEY_CITY=SZ
export KEY_ORG="xiaohui.com"
export KEY_EMAIL="your-email [at] xiaohui.com"
Build:
代碼:
./clean-all
./build-ca
Generating a 1024 bit RSA private key
................++++++
........++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GD]:
Locality Name (eg, city) [SZ]:
Organization Name (eg, company) [xiaohui.com]:
Organizational Unit Name (eg, section) []:xiaohui.com
Common Name (eg, your name or your server's hostname) []:server
Email Address [your-email [at] xiaohui.com]:
# 建立 server key 代碼: 代碼:
./build-key-server server
Generating a 1024 bit RSA private key
......++++++
....................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GD]:
Locality Name (eg, city) [SZ]:
Organization Name (eg, company) [xiaohui.com]:
Organizational Unit Name (eg, section) []:xiaohui.com
Common Name (eg, your name or your server's hostname) []:server
Email Address [your-email [at] xiaohui.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:abcd1234
An optional company name []:xiaohui.com
Using configuration from /open***-2.0.5/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'GD'
localityName :PRINTABLE:'SZ'
organizationName :PRINTABLE:'xiaohui.com'
organizationalUnitName:PRINTABLE:'xiaohui.com'
commonName :PRINTABLE:'server'
emailAddress :IA5STRING:'your-email [at] xiaohui.com'
Certificate is to be certified until Mar 19 08:15:31 2016 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
#生成用戶端 key
代碼:
./build-key client1
Generating a 1024 bit RSA private key
.....++++++
......++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GD]:
Locality Name (eg, city) [SZ]:
Organization Name (eg, company) [xiaohui.com]:
Organizational Unit Name (eg, section) []:xiaohui.com
Common Name (eg, your name or your server's hostname) []:client1 #重要: 每個不同的 client 生成的證書, 名字必須不同.
Email Address [your-email [at] xiaohui.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:abcd1234
An optional company name []:xiaohui.com
Using configuration from /open***-2.0.5/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'GD'
localityName :PRINTABLE:'SZ'
organizationName :PRINTABLE:'xiaohui.com'
organizationalUnitName:PRINTABLE:'xiaohui.com'
commonName :PRINTABLE:'client1'
emailAddress :IA5STRING:'your-email [at] xiaohui.com'
Certificate is to be certified until Mar 19 08:22:00 2016 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
依次類推生成其他用戶端證書/key
代碼:
./build-key client2
./build-key client3
注意在進入 Common Name (eg, your name or your server's hostname) []: 的輸入時, 每個證書輸入的名字必須不同.
生成 Diffie Hellman 參數 。代碼:
./build-dh
将 keys 下的所有檔案打包下載下傳到本地
代碼:
tar -cf mykeys.tar /open***-2.0.5/easy-rsa/keys
cp mykeys.tar /home/xiaohui.comsys/public_html/mykeys.tar
将 mykeys.tar 移到 web public(絕對路徑因人而異) 上, 然後用 http://www.a.com/mykeys.tar 方式将其下載下傳到本地儲存, 然後将其從server删除: 代碼:
rm /home/xiaohui.comsys/public_html/mykeys.tar
也可以用其他方法把 key file搞到本地,例如 ftp.
建立服務端配置檔案
從樣例檔案建立:
代碼:
cd $dir/sample-config-files/ # 進入源代碼解壓目錄下的sample-config-files子目錄
cp server.conf /usr/local/etc # cp伺服器配置檔案到/usr/local/etc
vi /usr/local/etc/server.conf
我建立的server.conf 的内容稍後另附.
建立用戶端配置檔案
代碼:
cd $dir/sample-config-files/ #進入源代碼解壓目錄下的sample-config-files子目錄
cp client.conf /usr/local/etc #cp用戶端配置檔案到/usr/local/etc
vi /usr/local/etc/client.conf
我建立的client.conf 的内容稍後另附.
啟動Open***: open*** [server config file] 代碼:
/usr/local/sbin/open*** --config /usr/local/etc/server.conf
三. Open××× GUI For Windows 用戶端安裝過程
安裝 Open××× GUI For Windows, 到 http://open***.se 下載下傳. 目前的版本是 1.0.3. 注意: Open××× GUI 的版本要和 Open××× Server 的版本配套. 詳見第一節一. 安裝環境中的說明.
依螢幕訓示安裝open*** gui.
配置 open*** gui
安裝結束後, 進入安裝檔案夾下的 config 目錄, 然後将上面第 10 步建立的 client.conf 檔案從 server 上下載下傳到此檔案夾, 并更名為 client.o***
同時, 将第8 步打包的 mykeys.tar 中的下列證書檔案解壓到此檔案夾:
代碼:
ca.crt
ca.key
client1.crt
client1.csr
client1.key
然後輕按兩下 client.o*** 即可啟動 open***, 或者通過 Open××× GUI 的控制啟動 ×××.
如果輕按兩下 client.o*** 沒有反應, 則在工作列點 Open××× GUI 的小圖示右鍵, 選擇 edit config, 将内容複制過去再儲存. 然後再點右鍵中的 connect即可.
如果需要第二台機器上使用 *** , 進行同樣的配置, 隻需要将 client1.crt, client1.csr, client1.key 換成對應的 client2.xxx 即可, 然後将 client.o*** 中的對應key檔案值改掉.
四. Open××× 配置樣例檔案
Open××× 服務端:server.conf
代碼:
local 70.8.7.6
port 1194
proto udp
dev tun
ca /open***-2.0.5/easy-rsa/keys/ca.crt
cert /open***-2.0.5/easy-rsa/keys/server.crt
key /open***-2.0.5/easy-rsa/keys/server.key # This file should be kept secret
dh /open***-2.0.5/easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status /open***-2.0.5/easy-rsa/keys/open***-status.log
verb 4
push "dhcp-option DNS 10.8.0.1"
push "dhcp-option DNS 70.88.98.10" # name server 位址, 如何擷取見随後說明
push "dhcp-option DNS 70.88.99.11" # name server 位址, 如何擷取見随後說明
說明: 有些 domain 被 GFW 封掉了, 這時, 如果要通路這些網站, 應該将 server 上的 DNS push 到 client. 上面示例中的 dns ip: 70.88.98.10, 70.88.99.10, 可以在 /etc/resolv.conf 中找到: 代碼:
vi /etc/resolv.conf
nameserver 70.88.98.10
nameserver 70.88.99.11
Open××× 用戶端: client.o***
代碼:
client
dev tun
proto udp
remote 70.8.7.6 1194
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
comp-lzo
verb 3
redirect-gateway def1
五. Open××× 通路外網的設定
打開路由 ×××連接配接成功後, 還需要設定路由, 才能透過×××通路Internet. 在 linux host 上添加路由: 代碼:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 70.8.7.6
/etc/init.d/iptables save
/etc/init.d/iptables restart
不同的機器,-o eth0 參數可能不一樣,具體可輸入 ifconfig 檢視,搞清 ip(70.8.7.6)所在的網卡号.
同時, 需要将 ip forward 打開. 不要用 echo 1 > /proc/sys/net/ipv4/ip_forward 的方式, 這種方式重新開機後無效. 先檢視一下:
代碼:
sysctl -a | grep for
#檢視結果:
net.ipv4.conf.tun0.mc_forwarding = 0
net.ipv4.conf.tun0.forwarding = 1
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.all.forwarding = 1
net.ipv4.ip_forward = 1
如果你的主機上列數值不是為1, 則要将其改成1, 例如:
代碼:
sysctl -w net.ipv4.ip_forward=1
依此類推.
開啟域名伺服器
如果你需要通路一些已經被GFW封掉了域名的網站, 但你的 Open××× 伺服器沒有被封的話,那麼你需要在你的主機上開啟 name server, 并将 dns push 給 client。 一般的獨立主機, 都帶有 private dns server.
代碼:
rpm -qa | grep bind
/etc/init.d/named start
另外, 必須保證 server.conf 配置中, 有這三個配置:
代碼:
push "dhcp-option DNS 10.8.0.1"
push "dhcp-option DNS 70.88.98.10" # name server 位址
push "dhcp-option DNS 70.88.99.11" # name server 位址
當 client 連接配接成功後, 在 cmd 下執行 ipconfig /all, 應該有這類似這樣的輸出:
代碼:
Ethernet adapter Local Area Connection 3:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : TAP-Win32 Adapter V8
Physical Address. . . . . . . . . : 00-FF-AA-B0-60-2B
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 10.8.0.6
Subnet Mask . . . . . . . . . . . : 255.255.255.252
Default Gateway . . . . . . . . . : 10.8.0.5
DHCP Server . . . . . . . . . . . : 10.8.0.5
DNS Servers . . . . . . . . . . . : 10.8.0.1
70.88.98.10
70.88.99.11
Lease Obtained. . . . . . . . . . : 2006年5月25日 5:13:52
Lease Expires . . . . . . . . . . : 2007年5月25日 5:13:52
六. 設定 Open××× 伺服器 reboot後自動啟動 open***
執行指令:
代碼:
vi /etc/rc.local
然後在最後面加入此行:
代碼:
/usr/local/sbin/open*** --config /usr/local/etc/server.conf > /dev/null 2>&1 &
七. Open××× 測試
你可以用 ××× 登入上去之後, 測試 MSN, QQ, IE 等網絡應用, 也可以嘗試通路一些被 GFW 禁掉的網站, 當然, 前提是你的 ××× 伺服器不在境内.
八. 使用 Open××× 的強烈注意事項
不建議用 ××× 登入 paypal 帳戶和 google adsense 帳戶. 否則有可能導緻帳戶受限或帶來其他風險.
十. 一些補充
2011.01.11 補充:今天用 yum -y update 更新了 CentOS 之後,發現 Open××× 連接配接不上去了,老是說使用者檢驗出錯。經檢查 server log,發現有以下日志:
Thu Feb 10 11:13:07 2011 us=3362 222.244.***.**:45771 TLS: Initial packet from 222.244.***.**:45771, sid=eec450eb 8673ceef
Thu Feb 10 11:13:10 2011 us=798063 222.244.***.**:45771 open***_execve: external program may not be called unless '--script-secur ity 2' or higher is enabled. Use '--script-security 3 system' for backward compatibility with 2.1_rc8 and earlier. See --help t ext or man page for detailed info.
Thu Feb 10 11:13:10 2011 us=798127 222.244.***.**:45771 TLS Auth Error: user-pass-verify script failed to execute: /usr/bin/php - q /home/xiaohui/open***-manager/admin/open***-auth.php
Thu Feb 10 11:13:10 2011 us=798141 222.244.***.**:45771 TLS Auth Error: Auth Username/Password verification failed for peer
經查,原來是 CentOS 在進行 yum update 時,将 Open××× 也由2.0 更新到了 2.1。而 Open××× 2.1 最大的改變之一,就是加了一個 script-security參數。如果按我的這篇教程進行安裝,但裝的是 Open××× 2.1 及以上版本的話,記得在 server.conf 中再加上這麼一行配置即可:
script-security 3
轉載于:https://blog.51cto.com/shenyj/1381192